Enumeration
I started by scanning the target machine for any open ports and services running on those ports.
This scan discovered two ports, which include port 22 (SSH) and port
5001 (HTTP). Port 5001 appears to be hosting a website created by the
professor.
Reading this web-page, I discover the class is learning about a
functional programming language called Haskell and has been provided a
link to a homework assignment. Visiting this link presents a new
web-page.
Reading this web-page, I discovered that a Haskell file can be uploaded
to the target machine, where it will then be compiled and executed. A
link is provided to allow me to submit my Haskell file, but this gives
me a not found message.
I figured there was a way to upload a Haskell script and decided to
enumerate the website some more using wfuzz to find any hidden
directories.
wfuzz -c --hc=400 -z file,/opt/wordlists/medium.txt http://$IP/FUZZ
I discovered a single page called “/submit” using wfuzz
Haskell Reverse Shell
Visiting the “/submit” page provides an upload link where I can submit a Haskell script.
I know that when I upload a Haskell script, it will be compiled and
executed. With this in mind, I spent sometime learning about the Haskell
programming language. I discovered that I could execute system commands
using the Haskell language. I created a “test.hs” Haskell script that
uses the “callCommand” which creates a new process to run the specified
shell command.
By uploading my “test.hs” script, I was able to successfully list the
contents of the current directory my script was uploaded to and executed
in.
Based on this response, the next step I took was to upload a Haskell
script that would create a reverse shell on the target machine. The
script I used can be seen below.
After setting up net-cat to listen on port 4444, I uploaded my reverse
shell Haskell script. This was compiled and executed, which resulted in a
reverse shell being created.
As can be seen in the image above, I am logged in as the user “flask”.
Listing the contents of the “/home” directory, I can see there are two
other users called “HaskHell” and “prof”.
Looking in the “/prof” users directory, I found the user flag for this ctf.
Privilege Escalation
I
continued performing some manual enumeration and discovered the private
SSH key used to login as the user “prof” in their home directory.
I copied this rsa private key to my host device and used “chmod” to give
the file 600 permissions. I can then use this key to SSH into the
target machine as the user prof.
ssh -i id_rsa_prof prof@$IP
Root Privilege Escalation
Once logged in as the user “prof”, I check to see what commands can be run with root privileges using Sudo.
It appears I can execute “/usr/bin/flask run” command with root
privileges using Sudo. However, when I try running this command I
receive an error.
Some searching online revealed that the “FLASK_APP” environment variable
is used to specify how to load the application. I can use this
environment variable to specify a script which will then be executed
with root privileges when I run the “/usr/bin/flask run” command. I
created a simple python script that spawns a tty shell when executed and
will hopefully have root privileges.
I then set the “FLASK_APP” environment variable to load my “root.py” script.
Once the environment variable is set, I execute the the “/usr/bin/flask
run” command and I will have a new shell with root privileges.
Navigating to the “/root” directory, I found the root flag.
Thank you for reading this writeup!
Post a Comment
Comments here, cracks!